1. Field of the Invention
The present invention relates to a network system which is employed in the access to servers via networks from client terminals.
This application is based on patent application No. Hei 10-146372 filed in Japan, the contents of which are incorporated herein by reference.
2. Description of the Related Art
Conventionally, in corporate LAN (local area network) environments, various controls required by the core business were in place, so that connecting such LAN systems via the internet was difficult because of problems, described below, concerning which protocols may be permitted to pass through firewalls, and the like.
However, as a result of the penetration of distributed computing technologies and the spread of Java, it has recently become possible to construct network systems by connecting company-wide LAN systems via the internet. When a network system of this type is constructed, security is maintained by installing a firewall.
Here, a firewall is a system installed at the point of attachment between the information system itself and the internet; it prevents unpermitted intrusion by unauthorized individuals and keeps out computer viruses.
Furthermore, in network systems having firewalls such as that described above, security policies may restrict the classes of protocol that can be employed in this environment; security is thereby maintained by disallowing the passage of arbitrarily selected protocols.
FIG. 5 shows the outlines of the composition of the conventional network system described above. In this figure, reference 1 indicates the internet, in which a plurality of networks are connected to one another, and in the example shown in FIG. 5, internet 1 connects the LAN of company A and the LAN of company B. In company A, reference 2 indicates a database server which stores various databases in a storage unit, and this is connected to internet 1 via firewall 3.
It is only possible for authorized terminals to access the database server 2 via firewall 3. Unauthorized terminals are incapable of accessing database server 2 through firewall 3. Reference 4 indicates a public WWW (world wide web) server which is connected to the internet 1, and this is freely accessible by any terminal irrespective of its authorized or non-authorized status.
In company B, reference 5 indicates a database server which stores various databases in its storage unit; this is connected to internet 1 via firewall 6. Only authorized terminals are capable of accessing this database server 5 via firewall 6. Reference 7 indicates a public WWW server which is connected to internet 1, and this server is accessible by terminals irrespective of their authorized or non-authorized status. Reference 8 indicates a company-internal WWW server which is connected to internet 1 via firewall 6; this company-internal WWW server 8 may be accessed via firewall 6 only by authorized terminals.
FIG. 6 shows the main parts of the composition of a conventional network system. In this figure, reference 9 indicates a client terminal which is installed on the client side and is connected to internet 1. This client terminal 9 accesses the WWW server 13 and the database server 19 described hereinbelow via internet 1. In client terminal 9, reference 10 indicates a client application program which is executed by client terminal 9; this program conducts communication control, encryption control, protocol control, and the like. Furthermore, the client application program 10 is the program executed when applications on the other company's side are employed from client terminal 9 via internet 1. Reference 11 indicates an encrypted communication control unit, which controls a dedicated encryption protocol that encrypts and decrypts datagrams passing through specified, predefined protocol service ports, irrespective of the attributes of the data (for example, SSL, or secure socket layer). Reference 12 indicates a session management unit which manages the sessions.
WWW server 13 is connected to internet 1 via firewall 14, and is a terminal which begins operation when triggered by a startup request from client terminal 9. Here, a plurality of ports are provided in firewall 14, and these ports may be broadly classified into standard ports, for the communication of protocols from unauthorized client terminals 9, and security communication ports, for communicating only those protocols from authorized client terminals 9.
In the WWW server 13 described above, reference 15 indicates an encrypted communication control unit having a function identical to that of the encrypted communication control unit 11 described above. Reference 16 indicates a session management unit which manages the sessions. Reference 17 indicates a server application program which is executed by WWW server 13, and which is employed in the control of communications with client terminals 9. Reference 18 indicates a DB (database) communication control unit which conducts the control of access to database 20 described hereinbelow. Database server 19 stores database 20 in the memory unit thereof.
Here, the operation of the network system shown in FIG. 6 will be explained using the operational explanatory diagrams shown in FIGS. 7A and 7B. FIG. 7A explains the access operation from an unauthorized, company-external client terminal 91, while FIG. 7B explains the access operation from the unauthorized and authorized client terminals 91 and 92.
Here, in FIGS. 7A and 7B, client terminal 91 corresponds to one unauthorized client terminal 9 in FIG. 6, and is located outside the company. Client terminal 92 corresponds to a different authorized client terminal 9 in FIG. 6, and is also located outside the company.
The firewalls 14 shown in FIGS. 7A and 7B have ports PA and PB. Ports PA are assigned the port number #80 and are installed for the purpose of access from an unspecified large number of client terminals; accordingly, the port number #80 of port PA is public. On the other hand, port PB is given a port number #X and is installed for the purpose of access from authorized client terminals 92. Accordingly, this port number #X of ports PB may be employed in communications only by the clients of client terminals 92 which have authorization. In other words, access to ports PB is possible only from the specified client terminals 92.
The public server 131 and private server 132 shown in FIGS. 7A and 7B correspond to the WWW server 13 shown in FIG. 6. Here, a client terminal 91 is provided with access to public server 131 via internet 1 and port PA of firewall 14. On the other hand, a client terminal 92 accesses private server 132 via internet 1 and the port PB of firewall 14. Reference 21 indicates a client terminal located within the company; since security is maintained on the inside of the firewall, this terminal may directly access public server 131 and private server 132.
In FIG. 7A, the unauthorized client terminal 91 ordinarily accesses public server 131 through port PA of firewall 14 using http (hypertext transfer protocol). At this time, the http described above is capable of passing through port PA.
Here, when an attempt is made to access private server 132 from client terminal 91, since the client of client terminal 91 does not know the port number #X of port PB, it is impossible to pass through the firewall 14. In other words, the http from client terminal 91 is not capable of passing through port PB, so that no communication is established between client terminal 91 and private server 132. Accordingly, in this case, client terminal 91 is incapable of accessing private server 132, and security is maintained.
On the other hand, in FIG. 7B, in the case in which client terminal 92 attempts to access private server 132, client terminal 92 employs the security communication dedicated protocol, and first accesses port PB. At this time, the protocol described above is capable of passing through port PB, so that client terminal 92 is capable of accessing private server 132.
In the conventional network system described above, more secure communication between companies is realized using a firewall; however, the demands involved are great.
In the firewall environment of the network system described above, firewalls are arranged in a distributed, multi-stage structure, so that a problem arises in that an enormous amount of preparation and work is required in order to enable a single new protocol to pass through the firewall. Examples of this preparation and work include resetting the firewall ports shown in FIG. 6 and modifying the client application program 10 and the server application program 17.
Here, the problems of the conventional network system will be explained with reference to FIG. 8.
In FIG. 8, in the parts corresponding to FIGS. 7A and 7B, the same reference numbers are employed. In company A shown in FIG. 8, reference 14A indicates a firewall having a function identical to that of the firewall 14 shown in FIG. 7; this is provided between internet 1 (see FIG. 6) and public server 131A and private server 132A. Here, firewall 14A is provided with ports PA and PC.
The port PA described above is given the port number #80, and is a port which is provided for the purposes of access from an unspecified large number of client terminals. On the other hand, port PC is given the port number #Y, and is provided for the purposes of access from authorized client terminals 92 (distributed computing communications). This port PC is the security dedicated port. Accordingly, the port number #Y of PC may be employed in communications only by the clients of the authorized client terminal 92. In other words, only specified client terminals 92 are capable of accessing port PC. Reference 21A indicates a client terminal which is installed in company A, which accesses public server 131A and private server 132A.
Furthermore, in company B, reference 14B indicates a firewall which is provided between internet 1 and private server 132B; this is also provided with a port PD and a port PC which is dedicated to distributed computing communication. Port PC is provided with port number #Y, while port PD is provided with a port number #Z. The port number #Y of port PC permits communications only from clients of the authorized client terminal 92. The ports PC and PD are security dedicated ports.
In the structure described above, unauthorized client terminal 91 ordinarily accesses public server 131A via the port PA of firewall 14A using http (hypertext transfer protocol). At this time, this http is capable of passing through port PA. Client terminal 91 is incapable of accessing the servers through port PC of firewall 14A or through ports PC and PD of firewall 14B, in the same way as in the operations described above.
On the other hand, when access is conducted from client terminal 92 to private server 132A, client terminal 92 first accesses port PC of firewall 14A using a security communications dedicated protocol. At this time, this protocol is capable of passing through port PC, so that client terminal 92 is capable of accessing private server 132A.
Here, the case is explained in which the client terminal 92 accesses the private server 132B via port PC of firewall 14B, in the state in which the firewall 14B has already been allocated for other service protocols.
In this case, port PC is closed, so that it is necessary to establish port PD in firewall 14B. The information regarding this modification of the port setting must be communicated to the manager of client terminal 92.
Here, a port management unit 22, which manages the port data in the plurality of firewalls, is provided in client terminal 92.
Here, in the conventional network system (see FIG. 8), in order to realize distributed computing, access should be made possible from client terminal 92 and the like to all destination systems (systems within other companies) in which all necessary functions (server applications) are present, and security control for satisfying all security policies is conducted.
However, as explained with reference to FIG. 8, in conventional network systems the port setting modification rules differ from company to company; this increases the complexity of managing the definition data held by port management unit 22 and makes the control more complex.
Accordingly, in order to add port setting conditions of this type and to execute applications on a per-business-unit basis, extremely complex installation methods must be researched and developed. In particular, installation changes that concern security are a necessary and extremely serious matter for each company to consider, and represent an obstacle to the rapid realization of such systems.
For this reason, it is an object of the present invention to provide a network system which does not require individual security dedicated ports for the establishment of firewall security.
In this invention, the network system is provided with authorized client terminals connected to the network, with a server connected to the network, and with a firewall which is interposed between the server and the network. The object described above is achieved by a server for such a network system which, when a client terminal accesses the server by means of a public protocol via a port of the firewall having a publicly known port number and the accessing client terminal is an authorized terminal, downloads to the client terminal, via that same port with the publicly known port number, a program for realizing dedicated control effective solely between the client terminal and the server, and then conducts data communication with the client terminal via the network and the port with the publicly known port number by means of that dedicated control.
In the present invention, because dedicated control is used, the firewall port employed is always the port with the publicly known port number. Accordingly, port management on the client terminal side is unnecessary. By means of this, it is possible to obtain a network system which does not require independent security dedicated ports to establish firewall security.
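The access flow of the invention just summarized, as an added model written for this edit and not code from the patent: the firewall opens only the publicly known port, an authorized terminal is granted the dedicated control (represented here by issued key material) over that port, and all subsequent frames on the same port are accepted only if they verify under that control. The client identifiers, the shared-secret table and the HMAC-based proof and framing are constructed stand-ins for the authorization check and the downloaded program; they are not the patent's mechanism.

```python
import hmac
import secrets

PUBLIC_PORT = 80  # port PA: the publicly known port number and the only port the firewall opens

# Constructed credential table held by the server; "client92" plays the authorized terminal 92.
# (Static-secret proofs are replayable; this is a model of the flow, not a real auth protocol.)
AUTHORIZED_CLIENTS = {"client92": b"constructed-secret-92"}


class Firewall:
    """Passes traffic only to open ports. No separate security port PB/#X exists here."""
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def passes(self, port):
        return port in self.open_ports


class Server:
    def __init__(self):
        self.sessions = {}  # client id -> key material issued together with the dedicated control

    def handle_public(self, client_id, proof):
        """Step 1: public protocol on the public port; only an authorized terminal gets the key."""
        secret = AUTHORIZED_CLIENTS.get(client_id)
        if secret is None:
            return None
        expected = hmac.new(secret, client_id.encode(), "sha256").digest()
        if not hmac.compare_digest(proof, expected):
            return None
        key = secrets.token_bytes(32)
        self.sessions[client_id] = key
        return key

    def handle_dedicated(self, client_id, frame):
        """Step 2: dedicated control on the same port; frames that fail verification are dropped."""
        key = self.sessions.get(client_id)
        if key is None or len(frame) < 32:
            return None
        tag, body = frame[:32], frame[32:]
        if not hmac.compare_digest(tag, hmac.new(key, body, "sha256").digest()):
            return None
        return body


def access(firewall, server, client_id, secret, payload):
    """Whole exchange from the client side; returns the payload the server accepted, or None."""
    if not firewall.passes(PUBLIC_PORT):
        return None
    proof = hmac.new(secret, client_id.encode(), "sha256").digest()
    key = server.handle_public(client_id, proof)
    if key is None:
        return None
    frame = hmac.new(key, payload, "sha256").digest() + payload  # dedicated-control framing
    return server.handle_dedicated(client_id, frame)
```

The model shows the point of the summary: knowing the port number #80 gives an unauthorized terminal nothing beyond the public protocol, while the authorized terminal never needs a second, per-firewall port number.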
Furthermore, in the network system, in the case in which a proxy server that conducts port switching is present in the firewall, the network server communicates the first port to the client terminal as the communication port, and sets the port it itself employs as a second port having a port number other than the publicly known port number. The network server then conducts data communication with the client terminal via the network, the firewall, and the proxy server using the dedicated protocol.
By means of this, even when a proxy server is installed in the network system, it is possible to obtain a network system which does not require an independent security dedicated port in order to establish firewall security.
The network system server preferably conducts the encryption and decryption of data in the data communication.
By means of this, secure communications are realized.